From 0772ddbae1be394c538f1d3529ea84434eadcf97 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 29 Oct 2004 22:38:10 +0000
Subject: r3377: Merge in first part of modified patch from Nalin Dahyabhai for bug #1717.The rest of the code needed to call this patch has not yet been checked in (that's my next task). This has not yet been tested - I'll do this once the rest of the patch is integrated. Jeremy. (This used to be commit 7565019286cf44f43c8066c005b1cd5c1556435f)
---
 source3/libsmb/cliconnect.c | 2 +-
 source3/libsmb/clikrb5.c | 47 ++++++++++++++++++++++++++++++++++++---------
 2 files changed, 39 insertions(+), 10 deletions(-)
(limited to 'source3/libsmb')
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 4ff60c1b1c..60691287e6 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -757,7 +757,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 int ret;
 use_in_memory_ccache();
- ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL);
+ ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL);
 if (ret){
 SAFE_FREE(principal);
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 5aa1668705..32a50464e0 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -81,7 +81,7 @@
 #endif
 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY)
- int create_kerberos_key_from_string(krb5_context context,
+ int create_kerberos_key_from_string_direct(krb5_context context,
 krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype,
@@ -102,7 +102,7 @@
 return ret;
 }
 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
- int create_kerberos_key_from_string(krb5_context context,
+ int create_kerberos_key_from_string_direct(krb5_context context,
 krb5_principal host_princ, krb5_data *password, krb5_keyblock *key,
@@ -123,6 +123,27 @@ __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS
 #endif
+int create_kerberos_key_from_string(krb5_context context,
+ krb5_principal host_princ,
+ krb5_data *password,
+ krb5_keyblock *key,
+ krb5_enctype enctype)
+{
+ krb5_principal salt_princ = NULL;
+ int ret;
+ /*
+ * Check if we've determined that the KDC is salting keys for this
+ * principal/enctype in a non-obvious way. If it is, try to match
+ * its behavior.
+ */
+ salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
+ ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
+ if (salt_princ) {
+ krb5_free_principal(context, salt_princ);
+ }
+ return ret;
+}
+
 #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
 krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes)
@@ -251,6 +272,17 @@
 }
 #endif
+void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
+{
+#if !defined(HAVE_KRB5_FREE_DATA_CONTENTS)
+ if (pdata->data) {
+ krb5_free_data_contents(context, pdata);
+ }
+#else
+ SAFE_FREE(pdata->data);
+#endif
+}
+
 void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
 {
 #if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
@@ -262,7 +294,7 @@ void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
 #endif
 }
-krb5_boolean kerberos_compatible_enctypes(krb5_context context,
+BOOL kerberos_compatible_enctypes(krb5_context context,
 krb5_enctype enctype1, krb5_enctype enctype2)
 {
@@ -270,9 +302,9 @@ krb5_boolean kerberos_compatible_enctypes(krb5_context context,
 krb5_boolean similar = 0;
 krb5_c_enctype_compare(context, enctype1, enctype2, &similar);
- return similar;
+ return similar ? True : False;
 #elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)
- return krb5_enctypes_compatible_keys(context, enctype1, enctype2);
+ return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False;
 #endif
 }
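Review bot: In the new create_kerberos_key_from_string() (the @@ -123 hunk), a NULL from kerberos_fetch_salt_princ_for_host_princ() is treated as "no override" and the key is silently derived with host_princ's default salt. That helper is not part of this path-limited view, so it is unclear whether NULL can also mean the lookup itself failed; if it can, the derived key would simply not match the KDC's and nothing here records why. I would extend the existing comment to state the contract the code relies on, e.g. `/* salt_princ is a caller-owned copy, or NULL when no override is stored; NULL falls back to host_princ. */`, and consider a debug-level log line on the fallback path.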
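Review bot: The preprocessor guard in the new kerberos_free_data_contents() (the @@ -251 hunk) looks inverted: `#if !defined(HAVE_KRB5_FREE_DATA_CONTENTS)` selects the krb5_free_data_contents() call on exactly the builds where the symbol was not detected, and uses SAFE_FREE(pdata->data) where the library function exists. The code this helper replaces in cli_krb5_get_ticket (the @@ -447 hunk) wrapped the same call in `#ifdef HAVE_KRB5_FREE_DATA_CONTENTS`, so the guard should read `#if defined(HAVE_KRB5_FREE_DATA_CONTENTS)`. As written, builds without the function presumably fail to compile or link, and builds with it release library-owned memory through the application's free path, which is only safe if both sides share an allocator. The SAFE_FREE branch also leaves pdata->length unchanged; setting it to 0 there would keep the krb5_data consistent after the free.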
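Review bot: kerberos_compatible_enctypes() (the @@ -270 hunk) has no `#else` branch: the visible `#elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)` is followed directly by `#endif` and the closing brace, so on a build where neither macro is defined the function ends without returning a value and callers read an indeterminate BOOL. Because the result decides whether two enctypes are treated as interchangeable, I would add an explicit fallback, for example `#else` followed by `return (enctype1 == enctype2) ? True : False;`, or fail the build the way `__ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS` does earlier in the file. The return code of krb5_c_enctype_compare() is also ignored, which is safe only because `similar` is initialised to 0. The opening `#if` of this function lies outside the hunk.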
@@ -447,10 +479,7 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset,
 *ticket = data_blob(packet.data, packet.length);
-/* Hmm, heimdal dooesn't have this - what's the correct call? */
-#ifdef HAVE_KRB5_FREE_DATA_CONTENTS
- krb5_free_data_contents(context, &packet);
-#endif
+ kerberos_free_data_contents(context, &packet);
 failed:
-- cgit